window-actor-x11: Check array bounds before accessing array

scan_visible_region() scans through each value of a uint8_t array and checks whether that value is 255. Right now it always checks one value too much though, resulting in a buffer overflow. Fix that by checking the array bounds before actually accessing the array. Found by running gnome-shell with address sanitizer and starting GIMP. Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2856>
author: Jonas Dreßler <verdre@v0yd.nl> 2023-02-19 12:19:43 +0100
committer: Marge Bot <marge-bot@gnome.org> 2023-03-26 11:51:02 +0000
commit: 7455c293c66898ca0841f5f984ada43feb5c088a (patch)
tree: 922246a52f0e44b0c56af0e375fd5ab6535a6673
parent: 679d2fb4e069ac7fbb021dda24f97fdc875274fb (diff)
download: mutter-7455c293c66898ca0841f5f984ada43feb5c088a.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/src/compositor/meta-window-actor-x11.c b/src/compositor/meta-window-actor-x11.c
index bdca02eb9..edc48885e 100644
--- a/src/compositor/meta-window-actor-x11.c
+++ b/src/compositor/meta-window-actor-x11.c
@@ -723,7 +723,7 @@ scan_visible_region (guchar         *mask_data,
           for (x = rect.x; x < (rect.x + rect.width); x++)
             {
               int x2 = x;
-              while (mask_data[y * stride + x2] == 255 && x2 < (rect.x + rect.width))
+              while (x2 < (rect.x + rect.width) && mask_data[y * stride + x2] == 255)
                 x2++;
 
               if (x2 > x)
author	Jonas Dreßler <verdre@v0yd.nl>	2023-02-19 12:19:43 +0100
committer	Marge Bot <marge-bot@gnome.org>	2023-03-26 11:51:02 +0000
commit	7455c293c66898ca0841f5f984ada43feb5c088a (patch)
tree	922246a52f0e44b0c56af0e375fd5ab6535a6673
parent	679d2fb4e069ac7fbb021dda24f97fdc875274fb (diff)
download	mutter-7455c293c66898ca0841f5f984ada43feb5c088a.tar.gz